Search code examples
angularsecurity.net-coreidentityserver4

Logging out from Identity Server 4 won't log out from Client

I have a similar issue to https://github.com/IdentityServer/IdentityServer4/issues/3153

I'm using the Asp Net Identity and the EF Core combined sample, everything works correctly, database, seeding, api call except for when I try to log out from the IS page. It does not delete the .AspNetCore.Cookies which is the one keeping the user logged in on the client.

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(LogoutInputModel model)
    {

        // build a model so the logged out page knows what to display
        var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);

        if (User?.Identity.IsAuthenticated == true)
        {
            _log.LogCustomInfo(LoggingType.Information, "<AUDIT>" + "Logout: User Is Authenticated" + "</AUDIT>");

            try
            {
                await _signInManager.SignOutAsync();
                await HttpContext.SignOutAsync(IdentityConstants.ApplicationScheme);
                await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
                // raise the logout event
                await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
            }
            catch (NotSupportedException)
            {
                _log.LogCustomInfo(LoggingType.Information, "<AUDIT>" + "Logout: SignOutAsync Not Supported" + "</AUDIT>");
            }

        }

        /* https://github.com/IdentityServer/IdentityServer4/issues/855 */
        // check if we need to trigger sign-out at an upstream identity provider

        // delete local authentication cookie
        Response.Cookies.Delete(".AspNetCore.Identity.Application");
        Response.Cookies.Delete("idserv.external");
        Response.Cookies.Delete("idserv.session");


        _log.LogCustomInfo(LoggingType.Information, "<AUDIT>" + "Logout: Trigger external signout " + vm.TriggerExternalSignout +  "</AUDIT>");

        if (vm.TriggerExternalSignout)
        {

            // build a return URL so the upstream provider will redirect back
            // to us after the user has logged out. this allows us to then
            // complete our single sign-out processing.
            string url = Url.Action("Logout", new { logoutId = vm.LogoutId });
            //url = _configuration["AppSettings:PostLogoutRedirectUri"]; 
            url = vm.PostLogoutRedirectUri;
            //url = "redirect.html";
                                            // this triggers a redirect to the external provider for sign-out
            _log.LogCustomInfo(LoggingType.Information, "<AUDIT>" + "Logout: Redirect to " + url +  "</AUDIT>");

            return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
        }

        return View("LoggedOut", vm);
    }

I have the same issue from the angular client and the MVC application.

If I manually delete .AspNetCore.Identity.Application the client is logged out. I am authenticating with keycloak and using

    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;

In the startup IS configuration options.

Solution

  • I was able to logout by manually deleting the application cookie. I had a problem deleting it at first because I was not specifying the application path. After I specify the cookie path, I can delete the cookie.

      Response.Cookies.Delete(".AspNetCore.Identity.Application", new CookieOptions()
    {
        Path = "/eds-daas"
    });